
ES vulnerable to Log4Shell?

BWC Cybersecurity Overlord ✭✭✭

Hi,

Considering the fact that Email Security is using Log4j2 2.11.2, I'm asking myself whether the system is vulnerable to CVE-2021-44228, aka Log4Shell?

@David W or @Gailand, do you have more insight? It should have been checked at SNWL by now.

--Michael@BWC

Category: Email Security Appliances

Answers

  • David W SonicWall Employee

    @BWC We can check with engineering but keep in mind that in most cases we cannot comment unless it's in release notes.

    Can you open a case for that, and I can have Gailand follow up.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    According to the latest information on PSIRT, ES 10.x is not affected:

    But the conclusion looks a bit strange to me, because "Apache Log4j project disclosed CVE-2021-44228, which is a Critical (CVSS 10.0) remote code execution vulnerability affecting Apache Log4j2 version <= 2.14.1. A subsequent security patch was released on Dec 10, 2021." and according to the Status information on a current ES 10.0.11 deployment, it lists Log4j2 2.11.2 as a component in the about.html.

    I hope for the best and will forward the PSIRT to my clients.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭
    edited December 2021

    Is this a bad joke? PSIRT changed its mind to

    After review, version 10.x appears to be impacted by CVE-2021-44228. SonicWall is readying a HotFix to remediate the issue, which will be released shortly.

    Thankfully I did not forward the false information to my customers, because it seems my suspicion was right.

    One aspect which is still fuzzy, at least to me: is it only exploitable via HTTP/S, or is SMTP a vector as well? Is it possible to send one of these JNDI strings in the SMTP dialog and have it logged and parsed?

    --Michael@BWC

  • TMLG Newbie ✭

    Using ESA here. Would like to know too.

  • Maybe ESA is using it somewhere that is not HTTPS.

    We have run a Tenable scan on the HTTPS port, which returned no result. Also tested a simple PoC curl command with https://log4shell.huntress.com/

    Result still negative. Not sure why they switched the content; maybe it is only affected under certain conditions.

  • BWC Cybersecurity Overlord ✭✭✭

    My hunch was correct, SMTP is an option (shown below for Apache James). Great, so any customer is at (potential) risk, even those not publishing HTTP/S. No word from SNWL so far, radio silence on my Engineering Ticket.

    --Michael@BWC

  • David W SonicWall Employee

    Everyone, please remember that there will be no official comment on this issue here in the community, due to this being a vulnerability.

    Also, there will most likely be nothing on your Jira, BWC, until there is a formal announcement.

    We do not use Apache for SMTP either.

    The SMTP engine is our own coded product.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    @David W I know it's the code from MailFrontier, but if this code is using log4j, aren't we back to square one?

    Apache James was just an example that it is not HTTP/S only, any service can be at risk.

    --Michael@BWC

  • David W SonicWall Employee

    The SMTP code does not use anything from Apache.

    Please be watching the page for any updates on this issue.

    You will see updates to it throughout the day.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • tbrame Newbie ✭

    Any update on this? I've seen no updates "throughout the day..." Asking for a friend.🙄

  • C_Z Newbie ✭

    Hi,

    Yeah, a friend of mine is also very interested 🤨. Is there any update on this topic?

    KR, Chris

  • BWC Cybersecurity Overlord ✭✭✭

    @tbrame @C_Z you can't expect fast and accurate information on another CVSS 10 these days 😪. I'm sure behind the scenes SNWL is working hard on this, but as usual not very communicative to the outside.

    Friends don't leave friends hanging in the dark.

    --Michael@BWC

  • C_Z Newbie ✭

    @BWC: It would calm me down to know if it's enough to disable all access except the SMTP port. That's what we have done.

  • BWC Cybersecurity Overlord ✭✭✭

    @C_Z I feel you, and this is what I expected from a vendor in the first place. If blocking HTTP/S is the one and only mitigation needed until a fix is available, everything would be somewhat fine. But not knowing if the essential SMTP service is at risk causes some anxiety.

    But this might be corporate policy; in retrospect, 2021 was not a good year for ramping up communication. SMA, just sayin'.

    --Michael@BWC

  • tbrame Newbie ✭

    SWL seems quick to put out a marketing slick for the event; time to clean up their own side of the street, though. Totally agree, at least let us know if the SMTP service is at risk or not.

  • C_Z Newbie ✭
    edited December 2021

    @David W Can you please give advice, or talk to your management immediately, because this is not an appropriate way to handle a security incident of this dimension. It's a CVSS of 10.0!

    We need advice because your (SNWL) system is a main and critical part of our infra. Being vulnerable here is not a small matter. Our companies trust in SNWL, and SNWL damages its reputation and gambles away trust. Every single other company has managed to publish advice for mitigation in the last 24h - not SNWL.

    Btw. what do you mean with "shortly" in this advisory? https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

    KR, Chris

  • TMLG Newbie ✭

    Yes, agree with @C_Z here. We need to know if SMTP is vulnerable to exploitation. I've closed off everything but ports 25 and 587, and I've even tried testing the SMTP with the Huntress Log4Shell tester and come up with nothing, but I'm not a sophisticated enough hacker to really know for sure.

    A comment from SW about whether SMTP is vulnerable to exploitation would be most useful here. Otherwise, those of us who use ESA are without any peace of mind.

  • tbrame Newbie ✭

    Looks like a patch was just posted for this. Good luck and stay safe!

  • BWC Cybersecurity Overlord ✭✭✭
  • DT_AI Newbie ✭

    @BWC, I was about to update the firmware for ES 5000 and you just dropped this news. I guess I will hold a little longer.

    And hoping SMTP/IMAP/POP3 are not the vulnerable ones.

    I have been following you since Dec 10, BTW. Thanks for sharing the updates.

    DT_AI

  • C_Z Newbie ✭

    @BWC Yes, it's not good, but not so bad either (CVSS 3.7). I'm wondering why SNWL is doing so badly with communication. It's like back in the 80's/90's: security by obscurity. I'm feeling old now, and it would be nice if SNWL management would arrive in this century with appropriate communication for IT professionals.

    @David W Is there now any information on which services were affected?

  • TMLG Newbie ✭

    I applied the latest patch to my ESA and so far nothing has changed (that's a good thing). Hoping the newly discovered vulnerability doesn't affect the current patch.

  • It is proven that HTTPS is vulnerable to RCE on 10.0.11.

    10.0.12 already fixed the HTTPS issue.

    The new vulnerability is not a critical one; I don't think they will, and it doesn't need an immediate patch.

  • DT_AI Newbie ✭

    Applied the latest patch on ES 5000 and it seems to be working well so far.

  • BWC Cybersecurity Overlord ✭✭✭

    Even a CVSS 3.7 which could lead to "just" a DoS attack should be fixed ASAP, at least in my opinion. log4j 2.16 is available and 2.15 is incomplete; it doesn't sound that hard to do. Customers are not that happy seeing their SMTP gateways at any (avoidable) risk.

    No word from SNWL on whether they removed the JndiLookup class manually, which would be another mitigation.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭
    edited December 2021

    CVE-2021-45046 got a bump from 3.7 to 9.0 ... still ignoring?

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Well, it keeps on coming: CVE-2021-45105 is the new member of the log4j debacle, CVSS 7.5 (High).

    It seems another patch with log4j 2.16 is coming, according to PSIRT, but this will not cover the above. 2.17 is the recommended version (by now).

    I already added this to my Engineering Ticket, but I'm sure SNWL is aware already.

    --Michael@BWC
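The two mitigations discussed above, removing JndiLookup.class from the jar and upgrading the jar itself, cover different CVEs, and a version string in an about page does not say which one was applied. The script below, an added example that is not part of this thread and not a SonicWall tool, inspects a log4j-core jar for its version and for the presence of JndiLookup.class and reports which of CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 are still open. The fixed-in versions assume the main 2.x release line (the 2.12.x and 2.3.x backports for older Java have their own fixed releases and are not modelled), and the jars it builds when run without arguments are constructed stand-ins, not real log4j artifacts.

```python
import io
import re
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Fixed-in versions on the main 2.x line (assumption: the Java 7/6 backports
# 2.12.x and 2.3.x are not modelled here).
#   CVE-2021-44228  RCE via JNDI lookup; fixed 2.15.0, also closed by removing JndiLookup
#   CVE-2021-45046  2.15.0 fix incomplete, JNDI still reachable; fixed 2.16.0
#   CVE-2021-45105  recursion DoS in context lookups; fixed 2.17.0, NOT closed by removing JndiLookup

def _vtuple(version):
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])

def read_version(z):
    """log4j-core's version from MANIFEST.MF, falling back to pom.properties."""
    names = z.namelist()
    if "META-INF/MANIFEST.MF" in names:
        mf = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", mf, re.M)
        if m:
            return m.group(1)
    for n in names:
        if n.endswith("/log4j-core/pom.properties"):
            props = z.read(n).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.M)
            if m:
                return m.group(1)
    return None

def assess(jar_bytes):
    """Return (version, jndi_present, [open CVE ids]) for a log4j-core jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        version = read_version(z)
        jndi = JNDI_CLASS in z.namelist()
    if version is None:
        return version, jndi, ["unknown version"]
    v = _vtuple(version)
    open_cves = []
    if jndi and v < (2, 15, 0):
        open_cves.append("CVE-2021-44228")
    if jndi and v < (2, 16, 0):
        open_cves.append("CVE-2021-45046")
    if v < (2, 17, 0):
        open_cves.append("CVE-2021-45105")
    return version, jndi, open_cves

def make_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: a manifest plus the class entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # only the entry name matters
    return buf.getvalue()

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        samples = {p: open(p, "rb").read() for p in paths}
    else:  # no jars given: show the three cases from the thread on constructed jars
        samples = {
            "log4j-core-2.11.2.jar (as shipped)": make_jar("2.11.2"),
            "log4j-core-2.11.2.jar (JndiLookup.class removed)": make_jar("2.11.2", False),
            "log4j-core-2.17.0.jar": make_jar("2.17.0"),
        }
    for name, data in samples.items():
        version, jndi, cves = assess(data)
        state = "present" if jndi else "absent"
        print(f"{name}: version={version} JndiLookup={state} open={cves or 'none'}")
```

Where you have shell access to the host, `find / -name 'log4j-core-*.jar' 2>/dev/null` lists the jars to pass in, and the interim mitigation the thread mentions is `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`, followed by a restart of the service. Re-running the script afterwards shows that this closes CVE-2021-44228 and CVE-2021-45046 but leaves CVE-2021-45105 open until the jar is 2.17.0 or later, which is the point BWC makes about 2.16 not covering it.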

  • BWC Cybersecurity Overlord ✭✭✭

    Maybe the next update for on-premise deployments is near, at least HES got another update to 10.0.13.7219.

    This is all speculation, because as usual there is no specific information from SNWL.

    --Michael@BWC

  • They have updated the advisory.

    A new ES HotFix is undergoing testing to include 2.17.0 to address CVE-2021-45046 and CVE-2021-45105. Customers should expect to receive direct communication regarding firmware upgrades, and the planned release including log4j 2.17.0 is tentatively set for 22-DEC-2021.

  • Trevor Newbie ✭

    I got an e-mail telling me to immediately upgrade to 10.0.13, but it's not showing as available...
